Date:      Sun, 11 Mar 2007 01:38:07 GMT
From:      Dmitro Tarasyuk<t@dim.kiev.ua>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/110174: pf pass route-to does not assign correct IP for the packets created on the same pf-host
Message-ID:  <200703110138.l2B1c7ZO021023@www.freebsd.org>
Resent-Message-ID: <200703110140.l2B1e5HY080436@freefall.freebsd.org>


>Number:         110174
>Category:       kern
>Synopsis:       pf pass route-to does not assign correct IP for the packets created on the same pf-host
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 11 01:40:05 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Dmitro Tarasyuk
>Release:        6.2
>Organization:
NDIASB
>Environment:
FreeBSD ndiasb.kiev.ua 6.2-STABLE FreeBSD 6.2-STABLE #2: Tue Feb 20 16:08:32 EET 2007     su@ndiasb.kiev.ua:/usr/src/sys/i386/compile/NDIASB  i386

>Description:
FreeBSD was installed as a NAT server and transparent Squid proxy server for the local network, with 3 interfaces: one for the LAN, and $if1 and $if2 for ISP1 and ISP2.

The default route is assigned to $if1_gw.

The pf.conf rules below are meant to split traffic using the table "xnets".

table <xnets> persist
..
# destinations in <xnets>: let the kernel route normally (default via $if1_gw)
pass out quick log on $if1 fastroute inet from $if1 to <xnets> keep state
# everything else: force the packet out $if2 via $if2_gw
pass out quick log on $if1 route-to ( $if2 $if2_gw ) inet from $if1 to ! <xnets> keep state

This means I want packets _created_on_the_same_server_ where pf runs to be routed through the $if2 interface if the destination IP does not belong to the table "xnets". Otherwise they have to be routed in the standard way and go out through $if1 as the default.

If a packet is created on the local server without an assigned source IP address (a widespread case), the system has to assign the source IP according to the routing table. When this packet matches the route-to rule above, obviously pf has to change the source IP to the IP of $if2, not $if1. But tcpdump shows that it is wrong. I think this is the bug.
>How-To-Repeat:
Always
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
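Editor's note (added example, not part of the PR or the reporter's configuration): on pf of this generation, route-to only overrides the next hop and the outgoing interface; it never rewrites the source address, so a locally generated packet keeps the address the stack picked from the routing table ($if1's). The usual way to get $if2's address on such packets is an explicit nat rule on the egress interface, since a route-to'd packet is filtered again on the interface it is actually sent on. The fragment below assumes the PR's own macros ($if1, $if2, $if2_gw) are defined above it, and that this standard pf idiom applies to the reporter's 6.2 kernel; the PR itself does not confirm that.

```pf
# Added example; assumes $if1, $if2 and $if2_gw are defined earlier in pf.conf.
table <xnets> persist

# Translation rules must precede filter rules in this pf version.
# Rewrite the source of anything leaving via $if2 to $if2's current address;
# the reverse translation on replies restores the state's original address.
# (assumption: this is the conventional workaround, not verified in the PR)
nat on $if2 inet from $if1 to any -> ($if2)

# Destinations in <xnets> take the normal route (default via $if1_gw).
pass out quick log on $if1 fastroute inet from $if1 to <xnets> keep state
# Everything else is forced out $if2; the nat rule above then fires on
# the second filter pass, which happens on $if2.
pass out quick log on $if1 route-to ( $if2 $if2_gw ) inet from $if1 to ! <xnets> keep state
```

To check the result, capture on the second uplink (tcpdump -n -i $if2) while connecting from the host to an address not in <xnets>: the outbound SYN should now carry $if2's address, and the reply should be matched to the same state rather than being dropped as unsolicited.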



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200703110138.l2B1c7ZO021023>